Last updated: 6th Feb, 2023
Where can I find the most updated GameAnalytics’ terms?
- Our Terms and Conditions, including our Data Protection Agreements, are available at https://gameanalytics.com/terms.
- Our Privacy Notice is available at https://gameanalytics.com/privacy.
What is Personal Data?
According to the EU General Data Protection Regulation 2016/679 (GDPR), “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”
This means that not only personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) is personal data, but any data we can associate with a person, even if we cannot identify that person in the real world.
Any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is Personal Data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.
What is GameAnalytics’ status under GDPR?
GameAnalytics and a game developer are Joint Controllers under GDPR (Art. 26), since jointly determine the purposes and means of processing.
- GameAnalytics and game developers jointly determine which types of data form part of the game data and their use;
- Game developers determine which of their games form part of the game data;
- GameAnalytics collects and processes game data for analytics and advertising purposes;
- Game developers may determine how to use game data as independent data controllers, but only once this data has been downloaded from GameAnalytics systems (if applicable).
What kind of data does GameAnalytics collect?
We collect personal data from two categories of individuals:
- Game developers – GameAnalytics’ clients who track the performance of their game(s) with GameAnalytics;
- Game players – the actual players (end-users) of games tracked with GameAnalytics’ SDKs. Please find additional information HERE.
What are game developers’ disclosure obligations?
Game developers must provide an in-app disclosure of data access, collection, use, and sharing. The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being accessed or collected;
- Must explain how the data will be used and/or shared;
- Cannot be included with other disclosures unrelated to players personal data collection.
Is GameAnalytics allowed to collect and process this game data?
Yes, as long as:
- game players (end-users) accepted game developers’ terms & conditions for analytics and game optimization purposes. When game developers process personal data for such purposes, they must limit access, collection, use, and sharing of personal players’ data acquired through the GameAnalytics’ SDKs to purposes directly related to providing and improving the features of the game.
- game players (end-users) consented to their data being collected and used for marketing and advertising purposes.
How do game developers get consent to collect this data?
Game developers must ask game players (end-users) for their freely given, specific, informed and unambiguous consent when the game opens and before any data has been sent to GameAnalytics. The consent must include that their data will be used for marketing and advertising purposes. Game developers must also have a publicly available privacy notice and terms & conditions that can be reviewed by game players (end-users).
In-app disclosure must accompany and immediately precede a request for player consent. Game developers must not access, collect or share any personal data until the player consents.
The app’s request for consent:
- Must present the consent dialog clearly and unambiguously;
- Must require affirmative user action (e.g., tap to accept, tick a check-box);
- Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
- Must not use auto-dismissing or expiring messages as a means of obtaining user consent.
How does GameAnalytics verify that game players have consented?
GameAnalytics will audit game developers on a regular basis. The audit process will determine if the game developer has made sufficient effort to ensure that the data collected is obtained and processed in compliance with the applicable data protection laws.
What about individuals under the age of 16?
Parental consent is required to process the personal data of children under the age of 16 for online services.
Example: An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The game developer shall follow these steps:
- Step 1: game developers must determine if the game player is under or over the age of 16 (or alternative age of digital consent).
- Step 2: If the game developer determines that the player is under the age of digital consent or the players state that they are under the age of digital consent, the game developer must inform the player that a parent or guardian needs to consent or authorise the processing before the service is provided to the player. The player is requested to disclose the email address of a parent or guardian.
- Step 3: the game developer contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility.
- Step 4: in case of complaints, the game developer must take additional steps to verify the age of the player.
Does GameAnalytics store records of consent?
- For game developers – we will store a record of consent in our game developers database and management systems.
- For game players – consent collection and storage is under the sole responsibility of each game developer.
What happens when a game developer fails their audit?
If a game developer is selected for an audit and GameAnalytics determines that they do not collect consent, GameAnalytics will provide a term of 30 days for them to remediate, before blacklisting the game. At the end of the 30 days, GameAnalytics will check in with the game developer to determine if appropriate measures have been implemented.
Can personal data be transferred outside of EU territories?
Yes, but only if appropriate safeguards are in place. GameAnalytics data resides in AWS and GCP. GameAnalytics rely on the EU Standard Contractual Clauses (SCC) (also known as EU Model Clauses) to transfer data to its vendors located in third-countries, since the SCCs provide specific guarantees around transfers of personal data for in-scope services. The EU Model Clauses are used in agreements between service providers (such as AWS) and GameAnalytics to ensure that any personal data leaving the EEA will be transferred in compliance with the applicable privacy laws.
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework for transfers of personal data from the EU to the United States. However, the EU Model Clauses continue to provide a valid mechanism for the transfer of personal data from the EU and EEA, as well as from Switzerland and the United Kingdom.
Are there any restrictions on data retention?
According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed for how long their data will be retained.
GDPR specifies: “You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Chinese PIPL compliance
PIPL is an acronym for the Personal Information Protection Law (PIPL), a data privacy law passed by China’s National People’s Congress to protect the data privacy of natural persons based in the People’s Republic of China (hereinafter “China”).
PIPL came into effect on November 1, 2021 and requires players in China to affirmatively consent (“Opt-In”) to have their personal information transferred and processed outside of China. Game developers must ensure their game is using a consent solution to comply with PIPL. Only data from game players who have consented to both ads personalization and to have their personal information transferred outside of China can be processed lawfully.
Please reach out to our Privacy Team at email@example.com